
ST17-001: Securing the Internet of Things


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Thu, 16 Nov 2017 17:27:36 -0600

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:



ST17-001: Securing the Internet of Things [ https://www.us-cert.gov/ncas/tips/ST17-001 ] 11/16/2017 04:52 PM EST 
Original release date: November 16, 2017

The Internet of Things refers to any object or device that sends and receives data automatically through the Internet. 
This rapidly expanding set of things includes tags (also known as labels or chips that automatically track objects), 
sensors, and devices that interact with people and share information machine to machine.

Why Should We Care?

Cars, appliances, wearables, lighting, healthcare, and home security all contain sensing devices that can talk to other 
machines and trigger additional actions. Examples include devices that direct your car to an open spot in a parking 
lot; mechanisms that control energy use in your home; control systems that deliver water and power to your workplace; 
and other tools that track your eating, sleeping, and exercise habits.

This technology provides a level of convenience to our lives, but it requires that we share more information than ever. 
The security of this information, and the security of these devices, is not always guaranteed.

What Are the Risks?

Though many security and resilience risks are not new, the scale of interconnectedness created by the Internet of 
Things increases the consequences of known risks and creates new ones. Attackers take advantage of this scale to infect 
large segments of devices at a time, which gives them access to the data on those devices or lets them use the devices, 
as part of a botnet, to attack other computers or devices with malicious intent. See Cybersecurity for Electronic Devices [ 
https://www.us-cert.gov/ncas/tips/ST05-017 ], Understanding Hidden Threats: Rootkits and Botnets [ 
https://www.us-cert.gov/ncas/tips/ST06-001 ], and Understanding Denial-of-Service Attacks [ 
https://www.us-cert.gov/ncas/tips/ST04-015 ] for more information.

How Do I Improve the Security of Internet-Enabled Devices?

Without a doubt, the Internet of Things makes our lives easier and has many benefits; but we can only reap these 
benefits if our Internet-enabled devices are secure and trusted. The following are important steps you should consider 
to make your Internet of Things more secure.

*Evaluate your security settings.* Most devices offer a variety of features that you can tailor to meet your needs and 
requirements. Enabling certain features to increase convenience or functionality may leave you more vulnerable to being 
attacked. It is important to examine the settings, particularly security settings, and select options that meet your 
needs without putting you at increased risk. If you install a patch or a new version of software, or if you become 
aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate. See 
Good Security Habits [ https://www.us-cert.gov/ncas/tips/ST04-003 ] for more information.

*Ensure you have up-to-date software.* When manufacturers become aware of vulnerabilities in their products, they often 
issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your 
device's software. Make sure to apply relevant patches as soon as possible to protect your devices. See Understanding 
Patches [ https://www.us-cert.gov/ncas/tips/ST04-006 ] for more information.

*Connect carefully.* Once your device is connected to the Internet, it's also connected to millions of other computers, 
which could allow attackers access to your device. Consider whether continuous connectivity to the Internet is needed. 
See Securing Your Home Network [ https://www.us-cert.gov/ncas/tips/ST15-002 ] for more information.

*Use strong passwords.* Passwords are a common form of authentication and are often the only barrier between you and 
your personal information. Some Internet-enabled devices are configured with default passwords to simplify setup. These 
default passwords are easily found online, so they don't provide any protection. Choose strong passwords to help secure 
your device. See Choosing and Protecting Passwords [ https://www.us-cert.gov/cas/tips/ST04-002.html ] for more 
information.

Additional Information

The following organizations offer additional information about this topic:


  * Online Trust Alliance: https://otalliance.org/smarthome 
  * Open Web Application Security Project (OWASP):
    https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
    https://www.owasp.org/index.php/IoT_Security_Guidance 
  * Atlantic Council: http://www.atlanticcouncil.org/publications/issue-briefs/smart-homes-and-the-internet-of-things 
  * Department of Homeland Security: https://www.dhs.gov/securingtheIoT 
  * Stop.Think.Connect.: https://www.dhs.gov/stopthinkconnect 
________________________________________________________________________

Authors: Stop.Think.Connect. and National Cybersecurity and Communications Integration Center (NCCIC)

________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have 
questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a 
notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () 
ncas us-cert gov to your address book. 
